[SRX] When and how to configure Proxy ARP

Knowledge Base ID: KB21785
Last Updated: 10 Dec 2013
Version: 4.0

Summary:

This article describes when and how to configure Proxy ARP, with examples.

The Resolution Guides for SRX NAT refer to this article.

Problem or Goal:

NAT configuration on the SRX is not working. You followed the steps in the Resolution Guides for SRX NAT, which referred you to this article for configuring Proxy ARP.

  • When do you configure Proxy ARP?
  • How do you check if Proxy ARP is configured?
  • How do you configure Proxy ARP?

Cause:

Solution:

When to configure Proxy ARP

As specified in Configuring Proxy ARP (CLI Procedure), Proxy ARP should be configured for the following scenarios:

  • When addresses defined in the static NAT and source NAT pool are in the same subnet as that of the ingress interface (Source NAT and Static NAT scenario)
  • When addresses in the original destination address entry in the destination NAT rules are in the same subnet as that of the ingress interface (Destination NAT scenario)

Example:
Below is a simple explanation of Proxy ARP for the Static NAT scenario.



SRX interface ge-0/0/0.0: 1.1.1.1/24
Upstream router IP address: anything between 1.1.1.3 and 1.1.1.254


The upstream router needs to send a packet to the destination IP address 1.1.1.2, so it sends an ARP Request for 1.1.1.2. If Proxy ARP is not configured on the SRX, the SRX does not reply to the ARP Request, because that IP address is not configured on the interface ge-0/0/0.0. The ARP Request times out and the packet is dropped at the upstream router.

However, if Proxy ARP is configured on interface ge-0/0/0.0 for the IP 1.1.1.2, the SRX responds when the upstream router sends an ARP Request for 1.1.1.2. The upstream router can then send the packet to the destination IP address 1.1.1.2, using the MAC address of the SRX.


How to check if Proxy ARP is enabled

Run the following configuration mode command:

    root# show security nat proxy-arp

Below is an example of a Proxy ARP configuration. (If nothing is returned by the above command, then Proxy ARP is not configured.)

    root# show security nat proxy-arp
    interface ge-0/0/0.0 { ## The interface where the proxy-arp is configured
        address {
            2.2.2.3/32; ## The two IPs to which packets will be destined
            2.2.2.4/32;
        }
    }

How to configure Proxy ARP

The instructions for configuring Proxy ARP are documented here:  Configuring Proxy ARP (CLI Procedure).

Below is a configuration example:

  1. Check if the Proxy ARP configuration is present or not:
    # show security nat proxy-arp
  2. Identify the address for which the Proxy ARP is needed.

    If Source NAT / Destination NAT is configured for IP 1.1.1.2, then the Proxy ARP will be configured for the IP address 1.1.1.2.

  3. Select the interface on which the NAT is performed.

    This decision is based on the IP address identified in the previous step.

    IP 1.1.1.2 is in the IP network of the interface ge-0/0/0.0.

    Verify the IP address of the interface ge-0/0/0.0:
    # show interfaces ge-0/0/0.0
    family inet {
         address 1.1.1.1/24;
    }
    The IP 1.1.1.2 belongs to the same network as 1.1.1.1/24.

  4. Configure the Proxy ARP.

    Address chosen is: 1.1.1.2
    Interface chosen is: ge-0/0/0.0

    Proxy ARP command is:
    set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.2/32

    To verify:
    # show security nat proxy-arp 
    interface ge-0/0/0.0 {
        address {
            1.1.1.2/32;
        }
    }
    

Other Example:

The Destination NAT example is the same as the Static NAT example above.

Below is a Source NAT example. It shows how to configure Proxy ARP when Source NAT is configured for an IP that is not the external interface IP but is in the same network as the external interface IP.


In this example, Source NAT is configured with an IP pool (1.1.1.3/32 - 1.1.1.4/32), which is on the same subnet as the SRX interface (1.1.1.1/24). 

The Client requires their IP address 192.168.5.12 to be translated to 1.1.1.3/32 or 1.1.1.4/32 (from the Source NAT Pool).

 

In this case, Proxy ARP needs to be configured on the interface ge-0/0/0.0, mapping the interface MAC to the IP addresses 1.1.1.3 and 1.1.1.4:

 
root# set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.3
root# set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.4
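
The four configuration steps and the Source NAT pool case above, as an added example (not Juniper's code): a Python helper that checks each NAT address against the interface subnets and produces a proxy-arp command only for addresses that share a subnet with an interface and are not the interface's own IP. The function names, the `a-b` range notation, and the sample inputs 1.1.1.1 (used as a NAT address) and 203.0.113.10 are assumptions constructed for illustration.

```python
import ipaddress

def expand(spec):
    """Expand 'a.b.c.d' or an inclusive pool range 'a.b.c.d-e.f.g.h' (assumed notation)."""
    first, _, last = spec.partition("-")
    lo = ipaddress.IPv4Address(first.strip())
    hi = ipaddress.IPv4Address(last.strip()) if last else lo
    if hi < lo:
        raise ValueError(f"range end precedes start: {spec}")
    return [ipaddress.IPv4Address(n) for n in range(int(lo), int(hi) + 1)]

def plan_proxy_arp(interfaces, nat_specs):
    """Return (commands, notes) for the NAT addresses in nat_specs.

    interfaces: {"ge-0/0/0.0": "1.1.1.1/24", ...} as shown by 'show interfaces'.
    A command is produced only when the address lies in an interface subnet
    and is not that interface's own address; everything else goes to notes.
    """
    ifaces = {n: ipaddress.IPv4Interface(c) for n, c in interfaces.items()}
    commands, notes = [], []
    for spec in nat_specs:
        for addr in expand(spec):
            owner = next((n for n, i in ifaces.items() if addr in i.network), None)
            if owner is None:
                notes.append(f"{addr}: outside every listed interface subnet; skipped")
            elif addr == ifaces[owner].ip:
                notes.append(f"{addr}: is the address of {owner} itself; skipped")
            else:
                commands.append(
                    f"set security nat proxy-arp interface {owner} address {addr}/32")
    return commands, notes

if __name__ == "__main__":
    # Interface and NAT addresses from the article, plus two constructed
    # inputs (1.1.1.1 and 203.0.113.10) to exercise the skip cases.
    cmds, notes = plan_proxy_arp(
        {"ge-0/0/0.0": "1.1.1.1/24"},
        ["1.1.1.2", "1.1.1.3-1.1.1.4", "1.1.1.1", "203.0.113.10"],
    )
    print("\n".join(cmds))
    print("\n".join("# " + n for n in notes))
```

Compare the generated commands with the output of `show security nat proxy-arp` before committing, so that Proxy ARP entries exist only for addresses the NAT rules actually use.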

Purpose:
Configuration
Implementation
Troubleshooting

Copyright© 1999-2012 Juniper Networks, Inc. All rights reserved.